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CLAIMS 

1. A firewall (3), controlling network data packet 
traffic between internal and external networks (1,5,4), 
comprising filtering means, in dependence of the contents 

5 in data fields of a data packet being transmitted between 
said networks, selecting from a total set of rules a rule 
applicable to the data packet, whereby said packet is 
blocked or forwarded through the firewall (3), 
characterized by 2-dimensional address lookup 

10 means (8) performing a 2-dimensional lookup of the source 
and destination addresses of the packet in a set of address 
prefixes, each prefix having a subset of rules of the total 
set of rules, in order to find a prefix associated with 
said source and destination addresses, and rule matching 

15 means (10), performing - based on the contents of said data 
fields - a rule matching in order to find the rule applic- 
able to the data packet. 

2. A firewall according to claim 1, 

20 characterized by a fragmenting machine (11) 

fragmenting packets being too large to be handled and com- 
prising fragment collecting means collecting packet frag- 
ments from a fragmented packet until a fragment header of 
said packet is received, fragment header storing means 

25 storing in an entry means information present in a fragment 
header field of the packet, fragment forwarding means 
forwarding packet fragments provided with fragment header 
information starting with the fragment header, wherein each 
fragment is processed by the filtering means as a regular 

30 unfragmented packet. 



3. A firewall according 
characterized by 
means (12,14), translating in 
35 in the prefix internal source 



to claim 1 or 2, 
network address translation 
dependence of the information 
addresses to external source 
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addresses of a packet transmitted 
(3) , or external source addresses 
addresses of a packet transmitted 

(3) . 

5 

4. A firewall according to claim 1 or 2, 
characterized by network address translation 
means (12, 14), translating in depending of the information 
in the prefix internal source addresses to external source 

10 addresses of a packet transmitted from the internal network 
(1) to the external network (4), or external source 
addresses to internal source addresses of a packet 
transmitted from the external network (4) to the internal 
network ( 1) . 

15 

5. A firewall according to any of the preceding 
claims, characterized by hole punching means 
(16,17), based on the information in the prefix determining 
if said packet is subject to a temporary exception from an 

20 external-to-internal blocking rule for a connection 
initiated from the internal network, wherein a return 
channel for packets transmitted from the external network 

(4) to the internal network (1) is established through the 
firewall during the lifetime of the connection. 

25 

6. A firewall (3), controlling network data packet 
traffic between internal and external networks (1,5,4), 
comprising filtering means, in dependence of the contents 
in data fields of a data packet being transmitted between 

30 said networks, selecting from a total set of rules a rule 
applicable to the data packet, whereby said packet is 
blocked or forwarded through the firewall (3), 
characterized by a fragmenting machine (11) 
fragmenting data packets being too large to be handled and 

35 comprising fragment collecting means collecting packet 



out through the firewall 

to internal source 

in through the firewall 
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fragments from a fragmented packet until a fragment header 
of said packet is received, fragment header storing means 
storing in an entry means information present in a fragment 
header field of the packet, fragment forwarding means 
5 forwarding packet fragments provided with fragment header 
information starting with the fragment header, wherein each 
fragment is processed by the filtering means as a regular 
unfragmented packet. 

10 7 . A method of controlling network data packet 

traffic between internal (1,5) and external networks (4) 
through a firewall (3) , comprising the steps of, 

in dependence of the contents in the data fields of a 
data packet being transmitted between said networks, 
15 selecting from a total set of rules a rule applicable to 
the data packet, 

applying said rule on said packet, 

and depending on the rule blocking or forwarding said 
packet through the firewall (3) , 
20 characterized in that said filtering 

comprises the further steps of: 

performing a 2-dimensional lookup of the source and 
destination addresses of the packet in order to find a 
prefix associated with said source and destination 
25 addresses in a set of address prefixes, each prefix having 
a subset of rules of the total set of rules, 

and based on the contents of said data fields of the 
packet, performing a rule matching on the subset of rules 
in order to find the rule applicable to the data packet. 

30 

8. A method according to claim 7, 
characterized in that preceding the step of 
selecting a rule applicable to the data packet it comprises 
the further steps of: 
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collecting packet fragments from a fragmented packet 
until a fragment header of said packet is received, 

storing in an entry means information present in a 
fragment header field of the packet, and 
5 forwarding packet fragments provided with fragment 

header information starting with the fragment header, 
wherein each fragment is processed by the filtering means 
as a regular unfragmented packet. 

10 9. A method according to claim 7 or 8, 

characterized in that preceding the step of 
performing a rule matching it comprises the further step 
of: 

depending on the information in the prefix, 
15 translating the external source address to an internal 

source address of a packet to be transmitted in through the 
firewall (3) . 

10. A method according to any of the preceding claims 
20 7-9, characterized in that preceding the step 

of performing a rule matching it comprises the further step 
of: 

depending on the information in the prefix, 
translating the external source address to an internal 
25 source address of a packet to be transmitted from the 
external network (4) to the internal network (1,5). 

11. A method according to to any of the preceding 
claims claims 7-10, characterized by the 

30 further step of: 

depending on the information in the prefix 
translating the internal source address to an external 
source address of a packet to be transmitted out through 
the firewall (3) . 



35 
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12 . A method according to any of the preceding claims 
7-11, characterized by the further step of: 

depending on the information in the prefix 
translating the internal source address to an external 
5 source address of a packet to be transmitted from the 
internal network (4) to the external network (1). 

13. A method according to any of the preceding claims 
7-12, characterized in that preceding the step 

10 of performing a rule matching it comprises the further 
steps of : 

based on the information in the prefix, determining 
if said packet is subject to a temporary exception from an 
external-to-internal blocking rule for a connection 
15 initiated from the internal network (1), 

if so, establishing a return channel for packets 
transmitted from the external network (4) to the internal 
network (1) through the firewall (3) , having a duration 
corresponding to the lifetime of the connection. 

20 

14 . A method of controlling network data packet 
traffic between internal and external networks (1,5,4) 
through a firewall (3), comprising the steps of, 

in dependence of the contents in the data fields of a 
25 data packet being transmitted between said networks, 

selecting from a total set of rules a rule applicable to 
the data packet, 

applying said rule on said packet, 

and depending on the rule blocking or forwarding said 
30 packet through the firewall (3), characterized 
in that preceding the step of selecting a rule applicable 
to the data packet it comprises the further steps of: 

collecting packet fragments from a fragmented packet 
until a fragment header of said packet is received, 



990630 e:\public\doc\p\3729004.t3oc JA/lj 



34 



storing in an entry means information present in a 
fragment header field of the packet, and 

forwarding packet fragments provided with fragment 
header information starting with the fragment header, 
wherein each fragment is processed by the filtering means 
as a regular unfragmented packet. 



